Marketers at security giant McAfee peddle the company's McAfee Secure trust mark service as an easy way for online merchants to showcase the safety of their websites. Participating sites display a linked seal showing that the site has passed a rigorous security scan that is performed daily. But a pair of security consultants say the program in many cases can tip off malicious hackers to easy-to-exploit vulnerabilities that might otherwise go unnoticed.

That's because a design flaw in the service, and in competing services offered by Trust Guard and others, makes it easy to discover in almost real time when a customer has had the seal revoked. A revocation is either a sign the site has failed to pay its bill, has been inaccessible for a sustained period of time, or, most crucially, is no longer able to pass the daily security test.

"It's basically McAfee, Trust Guard, and all these other guys raising the flag, saying, 'Hey guys, these sites are vulnerable to attack. Go after them,'" Shane MacDougall, a security researcher with Tactical Intelligence, told Ars. "They all suffer from this fatal design flaw, which is you're raising a flag over your castle and you're pulling the flag down when you're vulnerable to attack. Who in their right mind would do that?"

Representatives from McAfee and Trust Guard didn't respond to e-mails seeking comment for this article.

At last week's DerbyCon security conference in Louisville, Kentucky, MacDougall unveiled Oizys, a tool that automatically enumerates websites that have recently had their seals removed. Designed by MacDougall and colleague Jay James, it works by searching publicly accessible website folders that store the images for each customer that has signed up for the service. When the normal icon has been replaced by a transparent image that is 1 pixel by 1 pixel in size, the script indexes the corresponding website. In cases where the domain names have been obscured, Oizys (an allusion to the Greek goddess of misery) uses optical character recognition to pull the domain name from a corresponding business card.

It's not the first time security researchers have poked holes in website trust mark programs, which attempt to act as a Good Housekeeping seal of approval for e-commerce sites. In 2008, consultant Russ McRee documented XSS, or cross-site scripting, errors in five sites that prominently carried the McAfee marks, which at the time bore the words "Hacker Safe." McRee's findings came a few months after a separate group of researchers documented security bugs in 60 e-commerce sites that also carried McAfee's "Hacker Safe" seal.

A McAfee spokesman at the time said that XSS bugs were rated less severely than other types of Web vulnerabilities such as SQL injection, which results when Web applications incorporate user-supplied input into back-end database commands. XSS flaws, by contrast, allow attackers to execute arbitrary JavaScript or HTML in an end user's browser in the context of the website being visited.

What makes the technique MacDougall and James devised effective is that it allows hackers to identify sites likely to succumb to attack without directly scanning them. Attackers are then free to probe the resulting list using programs such as Nessus. MacDougall said he identified other weaknesses in various trust mark programs, including a delay of three days to one week between the time a site fails a security scan and the time its seal is removed.
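As an added example (not code from the article, from Oizys, or from any seal vendor), a merchant-side check a site operator can run against their own seal image: it reads the dimensions from the PNG or GIF header and flags the transparent 1x1 placeholder the article describes, so the operator learns of a revocation as soon as anyone enumerating the seal folders could and can chase the failed scan. The hostnames and image headers below are constructed; in use, the bytes would come from fetching the site's own seal URL.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
GIF_SIGS = (b"GIF87a", b"GIF89a")


def image_dimensions(data: bytes):
    """Read (width, height) from a PNG IHDR chunk or a GIF logical screen
    descriptor without decoding the image. Returns None for anything else."""
    if data.startswith(PNG_SIG) and len(data) >= 24 and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])  # big-endian, per PNG spec
    if data[:6] in GIF_SIGS and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])  # little-endian, per GIF spec
    return None


def seal_state(data: bytes) -> str:
    """Classify a seal image. The article describes a revoked seal being
    swapped for a transparent 1x1 image, so that is the signal checked for."""
    dims = image_dimensions(data)
    if dims is None:
        return "unknown"  # not an image we recognise; worth a manual look
    return "revoked" if dims == (1, 1) else "active"


def check_seals(seal_images: dict) -> dict:
    """Return {site: state} for a batch of fetched seal images."""
    return {site: seal_state(data) for site, data in seal_images.items()}


# --- constructed sample images (headers only; no real seal files involved) ---
def make_png_header(width: int, height: int) -> bytes:
    ihdr = struct.pack(">II", width, height) + bytes([8, 6, 0, 0, 0])
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIG + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr + crc


def make_gif_header(width: int, height: int) -> bytes:
    return b"GIF89a" + struct.pack("<HH", width, height) + bytes([0x80, 0, 0])


ACTIVE_SEAL = make_png_header(115, 60)  # normal seal artwork (size is made up)
REVOKED_SEAL = make_gif_header(1, 1)    # the 1x1 placeholder the article describes

SAMPLE_SEALS = {  # constructed; keys are placeholder hostnames
    "shop.example": ACTIVE_SEAL,
    "store.example": REVOKED_SEAL,
    "broken.example": b"<html>404 not found</html>",
}

if __name__ == "__main__":
    for site, state in check_seals(SAMPLE_SEALS).items():
        print(f"{site}: {state}")
```

Run it on a schedule alongside the vendor's daily scan; an "unknown" result usually means the seal URL now returns an error page rather than an image, which also deserves a look.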

23 Reader Comments

Quote:

In 2008, consultant Russ McRee documented XSS, or cross-site scripting errors in five sites that prominently carried the McAfee marks, which at the time carried the words "Hacker Safe." McRee's findings came a few months after a separate group of researchers documented security bugs in 60 e-commerce sites that also carried McAfee's "Hacker Safe" seal.

I don't think there is such a thing as "hacker-safe". Something might be so secure as to be able to withstand most attacks, but if someone wants in bad enough, given enough time they'll find a way in.

There are other services out there that do similar things. I believe it's AVG that will install a browser plugin and put a "safe" mark next to links returned in google searches. Are these alternatives also vulnerable?

Quote:

In 2008, consultant Russ McRee documented XSS, or cross-site scripting errors in five sites that prominently carried the McAfee marks, which at the time carried the words "Hacker Safe." McRee's findings came a few months after a separate group of researchers documented security bugs in 60 e-commerce sites that also carried McAfee's "Hacker Safe" seal.

I don't think there is such a thing as "hacker-safe". Something might be so secure as to be able to withstand most attacks, but if someone wants in bad enough, given enough time they'll find a way in.

They're using FDA math. Any value less than an arbitrary value over zero is equal to zero. For example, if there is only a 5.3% chance that a hacker could get in, it's hacker-free, so to speak.

Reminds me of something that happened in my dorm in college. The RAs had this plan to reduce dorm-room burglary by putting a note on the doors of any room they found unlocked, to remind the students to lock their doors while they're out.

Then someone pointed out to them that it might not be a grand idea to actually mark easily accessible dorm rooms for the thieves.

Quote:

There are other services out there that do similar things. I believe it's AVG that will install a browser plugin and put a "safe" mark next to links returned in google searches. Are these alternatives also vulnerable?

In my experience AVG is terrible and will slow down your computer as bad as Norton or McAfee products will. MSE is the only sane solution right now as far as I can tell.

Quote:

There are other services out there that do similar things. I believe it's AVG that will install a browser plugin and put a "safe" mark next to links returned in google searches. Are these alternatives also vulnerable?

I've used McAfee, Zone Alarm, and Kaspersky currently. They all have a feature which puts a Safe, Unknown, or Unsafe flag next to the googled search results.

The article has a silly premise: what makes these websites insecure is their insecurity, not the discussion of it. This is the same kind of flawed logic that causes people to pursue and punish whistleblowers rather than concentrating on the problems that were found.

Quote:

The article has a silly premise: what makes these websites insecure is their insecurity, not the discussion of it. This is the same kind of flawed logic that causes people to pursue and punish whistleblowers rather than concentrating on the problems that were found.

While what you are saying is technically correct, hanging a lantern on something will inevitably draw attention to it. If the security companies are essentially maintaining a method for the black-hats to curate a list of viable targets, they need to stop.

IMHO, as near as I can tell, the only thing these "seals" demonstrate is the fact that one has paid the purveyor a certain amount of money. It apparently has little to do with security. More protection rackets. And yes, longhairedboy, MSE is the ONLY sane approach, and the only one with no horse in the security protection software race. I've always been suspicious of companies that offer "protection" software and, at the same time, purport to instruct one on the potential dangers. Sounds a little too much like snake-oil to me.

Quote:

In 2008, consultant Russ McRee documented XSS, or cross-site scripting errors in five sites that prominently carried the McAfee marks, which at the time carried the words "Hacker Safe." McRee's findings came a few months after a separate group of researchers documented security bugs in 60 e-commerce sites that also carried McAfee's "Hacker Safe" seal.

I don't think there is such a thing as "hacker-safe". Something might be so secure as to be able to withstand most attacks, but if someone wants in bad enough, given enough time they'll find a way in.

Agreed. Security is always a relative thing. You can think of most attacks or the simplest attacks/those that have been used before but there is always someone smarter or more motivated than you to get into your system.

longhairedboy wrote:

ClownRazer wrote:

There are other services out there that do similar things. I believe it's AVG that will install a browser plugin and put a "safe" mark next to links returned in google searches. Are these alternatives also vulnerable?

In my experience AVG is terrible and will slow down your computer as bad as Norton or McAfee products will. MSE is the only sane solution right now as far as I can tell.

I somewhat agree. For the 'free' antivirus, MSE is the way to go. If you are just surfing regular old websites, it's going to keep you pretty much bulletproof safe.

If you are downloading games cracks/trainers or similar, that is when you need a paid solution unless you are 'super-techie' who knows the 'safe' websites to get those things from.

Quote:

I somewhat agree. For the 'free' antivirus, MSE is the way to go. If you are just surfing regular old websites, it's going to keep you pretty much bulletproof safe.

If you are downloading games cracks/trainers or similar, that is when you need a paid solution unless you are 'super-techie' who knows the 'safe' websites to get those things from.

The paid solutions don't perform any better than MSE does. All of the top AV products have comparable new virus catch rates, the problem is that they all catch a different subset. And they all waste varying amounts of your system resources to do so. Paid solutions aren't any better, multiple solutions is better. And of the single AV solutions, MSE is easily in the top ranks for low resource usage for home users.

Quote:

And yes, longhairedboy, MSE is the ONLY sane approach, and the only one with no horse in the security protection software race. I've always been suspicious of companies that offer "protection" software and, at the same time, purport to instruct one on the potential dangers. Sounds a little too much like snake-oil to me.

Except MSE tests well below many commercial products on both protection and repair.

Quote:

That's because a design flaw in the service, and in competing services offered by Trust Guard and others, makes it easy to discover in almost real time when a customer has had the seal revoked.

Quote:

MacDougall said he identified other weaknesses in various trust mark programs, including a delay of three days to one week from the time a site fails a security scan and when its seal is removed.

You can't claim both of these as flaws at the same time. If it is a flaw to alert people when a site is unsafe, then giving the website operators some time to fix the problem before disclosing the vulnerability is a potential solution, not an additional flaw. And vice-versa.

"You can't claim both of these as flaws at the same time. If it is a flaw to alert people when a site is unsafe, then giving the website operators some time to fix the problem before disclosing the vulnerability is a potential solution, not an additional flaw. And vice-versa."

WTH? Of course you can claim both are an issue, one does not negate the other...

Issue one is that it is a flag that alerts hackers to a vulnerable site - which is a risk to the site owner

Issue two is that a site can be vulnerable while it says it isn't - which is a risk to a consumer visiting the site who assumes it is secure when in fact it could be pwned by hackers.

They are two different ways the seals are busted, just from different POVs vis-à-vis who is the victim.

Quote:

IMHO, as near as I can tell, the only thing these "seals" demonstrate is the fact that one has paid the purveyor a certain amount of money. It apparently has little to do with security. More protection rackets. And yes, longhairedboy, MSE is the ONLY sane approach, and the only one with no horse in the security protection software race. I've always been suspicious of companies that offer "protection" software and, at the same time, purport to instruct one on the potential dangers. Sounds a little too much like snake-oil to me.

The fact of the matter is that back in the day Norton was a great product. Then it got too popular, too bloated, and all the black-hats knew to test against it to make sure their shit was successfully hiding. For a long while AVG was great, and then the same happened: it got too popular, and all the black-hats tested against it. At the moment MSE is an excellent solution (though they seriously need to separate the definition updates from Windows Update; there's no provision for automatically updating the definitions without setting ALL Windows updates to automatic, which is not desirable or a good idea for your system's stability).

Give it a couple more years and you'll find the cycle repeats, MSE will become too popular, all the black-hats will test against it, and it will cease to be effective. A new program will come along, and we can use that.

As to the tinfoil hat, there are reputable companies in the industry, Symantec among them (even if their software's been crap for the last decade or so), just as there are less reputable ones that will manufacture issues to sell you solutions to. They exist in every market, but you shouldn't let that make you think there aren't risks out there, nor should you let that make you think that MSFT is the only one to trust (they should never be trusted, for that matter). Just because you have an interest in it doesn't mean you can't maintain impartiality. Not all of these companies charge for their main services.

Another option for you might be ClamAV, which is the usual go-to on linux machines, and is capable of scanning windows machines as well. I've not heard anything bad about it, though I've rarely used it myself.

godel wrote:

davnel wrote:

And yes, longhairedboy, MSE is the ONLY sane approach, and the only one with no horse in the security protection software race. I've always been suspicious of companies that offer "protection" software and, at the same time, purport to instruct one on the potential dangers. Sounds a little too much like snake-oil to me.

Except MSE tests well below many commercial products on both protection and repair.

Quote:

In 2008, consultant Russ McRee documented XSS, or cross-site scripting errors in five sites that prominently carried the McAfee marks, which at the time carried the words "Hacker Safe." McRee's findings came a few months after a separate group of researchers documented security bugs in 60 e-commerce sites that also carried McAfee's "Hacker Safe" seal.

I don't think there is such a thing as "hacker-safe". Something might be so secure as to be able to withstand most attacks, but if someone wants in bad enough, given enough time they'll find a way in.

The highlighted problem involves hackers who are not intent on taking down a single site or a select group of sites. Instead this is a winnowing tool for hackers who are doing benefit/time analysis to generate a list of targets that will produce the greatest profit for the least investment.

It is a tool that is of benefit also to hackers targeting a large selection of specific sites such as banks, utilities and other large, but specific groups. Picking off the low hanging fruit is the way to do the most damage over the short term. By flagging sites that are considered vulnerable, low hanging fruit is flagged rather than being discovered by hacker initiated probing.

MSE's disadvantage, and AFAIC its greatest advantage, is that one must be using a legal, activated, Genuine Advantage cleared copy of Windows to use it. Under those conditions, and according to my observations, it IS possible to manually update MSE. Such an item is regularly included with Windows Update, but, again, requires a valid, activated copy of Windows. I have no problem with that. You want the services, you pay for the OS. Simple. Besides, most people get Windows as part of a computer purchase, which means they're automatically cleared. The junk AV is added to the system by the computer manufacturer, along with all the rest of the crapware. MSE is almost never active. You have to clean out the crapware and install MSE.

As for it becoming too popular, I don't think so. The vast majority of computer users never change a thing in their machines. They don't know how, are afraid to "break" something if they mess it up, and are unwilling to pay someone else to do it. Those few of us that DO know how are already using it. The requirement for a valid license limits the number of active users, so maybe it won't get too popular.

Quote:

MSE's disadvantage, and AFAIC its greatest advantage, is that one must be using a legal, activated, Genuine Advantage cleared copy of Windows to use it. Under those conditions, and according to my observations, it IS possible to manually update MSE. Such an item is regularly included with Windows Update, but, again, requires a valid, activated copy of Windows. I have no problem with that. You want the services, you pay for the OS. Simple. Besides, most people get Windows as part of a computer purchase, which means they're automatically cleared. The junk AV is added to the system by the computer manufacturer, along with all the rest of the crapware. MSE is almost never active. You have to clean out the crapware and install MSE.

As for it becoming too popular, I don't think so. The vast majority of computer users never change a thing in their machines. They don't know how, are afraid to "break" something if they mess it up, and are unwilling to pay someone else to do it. Those few of us that DO know how are already using it. The requirement for a valid license limits the number of active users, so maybe it won't get too popular.

You realize, of course, that WGA was cracked less than 24 hours after they implemented it, right? WGA, like all other forms of DRM, only hurts legitimate customers (and that includes legit copies of windows getting flagged by WGA lol).

Just like a carving knife, this can be used for good and bad. This highlights nothing new: a determined adversary, an organised criminal gang or whatever, will collect a list of potential assets with or without a flag. The logic of detecting a site because of a sponsored flag tells you not a great deal that you can't obtain from simply creating a script to test for versions of software, check for exposures, and deploy your nicely crafted zero-day. It's the same amount of effort.

I'm not convinced this is a find of any significance at all. Now, exploiting and spoofing the McAfee banner, that would be a find! Imagine... Let's focus articles on real "hacking" conferences, like the Chaos Computer Club.

Quote:

Just like a carving knife, this can be used for good and bad. This highlights nothing new: a determined adversary, an organised criminal gang or whatever, will collect a list of potential assets with or without a flag. The logic of detecting a site because of a sponsored flag tells you not a great deal that you can't obtain from simply creating a script to test for versions of software, check for exposures, and deploy your nicely crafted zero-day. It's the same amount of effort.

I'm not convinced this is a find of any significance at all. Now, exploiting and spoofing the McAfee banner, that would be a find! Imagine... Let's focus articles on real "hacking" conferences, like the Chaos Computer Club.

Except it IS useful beyond what you describe. Taking active efforts against a possible target site would reveal us scanning them, giving us away. Further, we could potentially be scanning for a wider range of vulnerabilities, whereas with these certifications we can know exactly what vulnerabilities it checks for, narrowing the pool of vulnerabilities we need to check against, and allowing us to know with reasonable certainty that one of those vulnerabilities is present.

It's by no means an end-of-the-world scenario, but the usefulness of this information for malicious purposes is definitely there. It does reduce the potential workload in finding vulnerable sites, it provides a list of sites that almost definitely do have some known vulnerability, it reduces the workload and time to find the specific vulnerability on the specific target machine, and it reduces the chances of detection during the initial selection process.

This article is based on the assumption that the Trust Guard seal operates like the McAfee Secure seal, which for the most part is not correct.

When a customer's website fails a scan the seal is seldom if ever replaced by a 1x1 image. Our images are dynamically created daily and change from site to site, so storage size fluctuates too much for hackers to make use of that number.

As far as the delay in displaying current information, that is absolutely not the case with Trust Guard as we update each image as soon as the scan status changes.